No D'oh! DNS-over-HTTPS passes Mozilla performance test

Privacy-protecting domain name system standard closer

As the DNS-over-HTTPS (DoH) secured domain querying draft creeps towards standardisation, Mozilla has run a test to see if applying encryption brings too heavy a performance penalty.

One somewhat-surprising outcome: for some queries, performance improved using DoH.

In its write-up of the experiment, Mozilla reports that run-of-the-mill DNS requests over DoH take a small performance hit.

However, the test team believes a six millisecond slowdown is acceptable, given that users get better security and privacy out of DoH.

The experiment found that from the billion DNS requests it gathered, “the slowest DNS transactions performed much better with the new DoH based system than the traditional one – sometimes hundreds of milliseconds better.”

Why it matters

DNS is one of the Internet's oldest pieces of infrastructure, and in its traditional form (plain UDP or TCP on port 53) both requests (you ask a DNS server for the IP address of theregister.co.uk) and responses (104.18.226.129) travel unencrypted.

That opens privacy and security gaps: anyone on the path (an ISP, a coffee-shop network, a transit provider) can see and log which names you look up, and responses can be spoofed by an on-path attacker or a tampering resolver (for example, to pipe a connection through a hostile server).
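To make the "what travels over the wire" point concrete, here is an added example (not code from Mozilla or from the DoH draft) that builds the same DNS query the paragraph describes, encodes it the way the DoH draft specifies for a GET request (base64url without padding, ID set to zero so HTTP caches can reuse it), and parses an answer. The resolver URL template is the draft's own example hostname, and the response bytes are constructed locally rather than captured from a real resolver.

```python
import base64
import socket
import struct

# Assumption: the URI template is the illustrative one used in the DoH draft;
# it is not a live resolver.
DOH_TEMPLATE = "https://dnsserver.example.net/dns-query{?dns}"


def build_query(name, qtype=1, txid=0):
    """Build a minimal RFC 1035 wire-format query for `name`.

    DoH recommends a transaction ID of 0 so that identical queries produce
    identical HTTP requests and can be served from an HTTP cache.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE=A, QCLASS=IN


def doh_get_url(template, query):
    """Encode the query as the draft's GET form: base64url, '=' padding stripped."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return template.replace("{?dns}", "?dns=" + dns)


def decode_dns_param(value):
    """Inverse of doh_get_url's encoding: restore padding, then base64url-decode."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def doh_post_request(query):
    """The equivalent POST form: raw wire-format body with the DoH media type."""
    return {
        "method": "POST",
        "headers": {
            "content-type": "application/dns-message",
            "accept": "application/dns-message",
        },
        "body": query,
    }


def build_constructed_response(query, ip, ttl=300):
    """Constructed reply to `query` (not captured from a real resolver):
    copies the question section and adds one A record via a name pointer."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def parse_a_answers(msg):
    """Return the IPv4 addresses from the answer section of a wire-format reply."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])

    def skip_name(off):
        while True:
            length = msg[off]
            if length == 0:
                return off + 1
            if length & 0xC0 == 0xC0:  # two-byte compression pointer
                return off + 2
            off += 1 + length

    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4  # QTYPE + QCLASS
    addresses = []
    for _ in range(an):
        off = skip_name(off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(rdata))
    return addresses


if __name__ == "__main__":
    q = build_query("theregister.co.uk")
    print(doh_get_url(DOH_TEMPLATE, q))
    r = build_constructed_response(q, "104.18.226.129")
    print(parse_a_answers(r))
```

Everything inside the `dns` parameter and the POST body is what a plain port-53 observer sees in the clear today; under DoH it sits inside TLS, and the only thing visible on the path is a connection to the resolver's HTTPS endpoint.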

One recent paper found that 8.5 per cent of the networks its authors tested were intercepting DNS requests, and that a large number of networks were running deprecated DNS software.

Mozilla's Patrick McManus (one of the DoH draft's two authors) hypothesised two possible reasons for the speed-up.

“First, is the consistency of the service operation – when dealing with thousands of different operating system defined resolvers there are surely some that are overloaded, unmaintained, or forwarded to strange locations,” he said. “Second, HTTP’s use of modern loss recovery and congestion control allow it to better operate on very busy or low-quality networks.”

The post said Mozilla will continue its DoH experimentation in advance of a full-scale deployment, which will in part depend on the progress of the standard.

That's drawing closer: the IETF put the DoH draft into the RFC Editor's queue earlier this month. Publication as a numbered “request for comments” document is the final step, although on the IETF standards track that initially confers Proposed Standard status rather than full Internet Standard status.

In parallel with the progress of the standard, a growing number of organisations are hosting endpoints to handle DoH queries.

Another Mozilla developer, Daniel Stenberg, maintains a public list of DoH endpoints. There are now three “big names” on the list, with PowerDNS launching its server last week. ®